MediaTek, a leading semiconductor company that provides system-on-chip solutions to many manufacturers, has confirmed a serious vulnerability affecting a fraction of handsets running Android KitKat 4.4. When the device is ready, each handset has to undergo a debug test to check its internal interoperability. Manufacturers have to disable this debug feature before shipping the handset, but some of them failed to do so.
A user who has root access to a vulnerable device can attack it. A security researcher, Justin Case, noticed this vulnerability. He said in his statement that the root user can do a lot of things, such as access protected data, spy on a user, monitor communications and much more.
This issue can cause a long list of problems. The private data of everyone using a vulnerable device is at risk of being leaked.
In his tweet, Case called out MediaTek, saying that because MediaTek had to break basic security features to make this backdoor work, read-only properties are no longer actually read-only. MediaTek replied to the tweet that they are working on a patch to address the issue.
So Mediatek broke basic security features to have this backdoor work. Readonly properties are NOT read only! pic.twitter.com/pEjtMNpo9v
— Jon Sawyer (@jcase) January 13, 2016
In their statement, MediaTek informed users about the vulnerability without disclosing much information about the process.
When MediaTek was asked which manufacturers and particular models are vulnerable to attack, they simply said that only a small portion of handsets is under threat and that they have already alerted the manufacturers concerned.
A lot of manufacturers use MediaTek chipsets, so security loopholes like this are quite disturbing. Justin Case has informed the public in time, but a lot of damage might have already taken place, which will only be revealed with time.
@jcase Hi, we have been working on a patch and expect it to be ready shortly. Thanks for being on the lookout though. Inputs always welcome!
— MediaTek (@MediaTek) January 14, 2016
Hopefully, MediaTek will address the issue and release the patch as soon as possible. This also shows how important it is for a chipset company to issue proper guidelines for the manufacturers to make sure private data remains private in future.